dify - 💡(How to fix) Fix WebApp SSO: SSO login from app domain redirects user to console (should always use members endpoints for WebApp auth)


Self Checks

  • I have read the Contributing Guide and Language Policy.
  • This is only for bug report, if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report, otherwise it will be closed.
  • 【Chinese users & non-English users】Please submit in English, otherwise the report will be closed :)
  • Please do not modify this template :) and fill in all the required fields.

Dify version

langgenius/dify-web:7a1f0e32580a963404801ca4e7f53afa88db6aea

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

  1. Deploy Dify Enterprise in a self-hosted environment.
  2. Configure OAuth2 SSO for Enterprise, for example Google SSO.
  3. Open the published WebApp on the app domain and click the SSO login link.
  4. The WebApp calls the console SSO endpoint instead of a WebApp-specific endpoint. Example: http://console.dify-xxx.../console/api/enterprise/sso/oauth2/login
  5. Because the request is sent from the app domain to the console domain, the browser treats it as a cross-origin request and a CORS error occurs.
  6. As a workaround, it is possible to handle the preflight and response headers in gateway_configs/Caddyfile.template, but this appears to be an application-side issue rather than a deployment misconfiguration.
  7. After successful SSO authentication, the flow redirects back to the console domain instead of the WebApp domain. Example: the browser is redirected to http://console.dify-xxxx... rather than the published WebApp on the app domain.

✔️ Expected Behavior

When SSO is started from the WebApp:

  • the WebApp should use an endpoint that works correctly for the app domain without requiring cross-domain CORS workarounds
  • the SSO flow should complete and return the user to the WebApp domain
  • the browser should not be redirected to the console domain unless the login was initiated from the console

❌ Actual Behavior

  • the WebApp calls a console-domain SSO endpoint
  • this causes a cross-origin request from app to console
  • the browser raises a CORS error unless the reverse proxy is customized
  • even after authentication, the redirect target is the console domain instead of the WebApp domain

Related code / suspected cause

The WebApp sign-in flows are not consistent.

web/app/(shareLayout)/webapp-signin/components/sso-auth.tsx uses the members SSO endpoints:

  • /enterprise/sso/members/saml/login
  • /enterprise/sso/members/oidc/login
  • /enterprise/sso/members/oauth2/login

However, web/app/(shareLayout)/webapp-signin/components/external-member-sso-auth.tsx uses the non-members endpoints:

  • /enterprise/sso/saml/login
  • /enterprise/sso/oidc/login
  • /enterprise/sso/oauth2/login

From the contracts, these non-members endpoints are defined under ConsoleSSO, which suggests they are console-oriented endpoints rather than WebApp member endpoints.

This mismatch likely explains why clicking SSO from the app domain redirects the browser to a console URL such as:

http://console.dify-xxxx/console/api/enterprise/sso/oauth2/login

instead of keeping the user in the app-domain WebApp flow.

Relevant files

  • web/app/(shareLayout)/webapp-signin/components/external-member-sso-auth.tsx
  • web/app/(shareLayout)/webapp-signin/components/sso-auth.tsx
  • web/service/share.ts
  • packages/contracts/generated/enterprise/orpc.gen.ts

Suspected fix

Use the members endpoints in external-member-sso-auth.tsx as well, to match the other WebApp sign-in flow:

  • /enterprise/sso/members/saml/login
  • /enterprise/sso/members/oidc/login
  • /enterprise/sso/members/oauth2/login
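As an added illustration (not Dify's own code) of the endpoint choice the report describes: the two endpoint families, selection by where the login was initiated, the same-origin check a browser applies before a request needs CORS, and a guard that refuses a post-login redirect leaving the initiating origin. The API base URLs are constructed assumptions, not values from the issue.

```typescript
// Added example, not Dify's code: models the WebApp SSO endpoint mismatch
// described in the issue and checks the resulting URLs for same-origin.
type SsoProtocol = "saml" | "oidc" | "oauth2";
type Initiator = "webapp" | "console";

// Endpoint families named in the issue. ConsoleSSO paths serve console logins;
// members paths serve WebApp member logins (sso-auth.tsx already uses them).
const CONSOLE_SSO_PATHS: Record<SsoProtocol, string> = {
  saml: "/enterprise/sso/saml/login",
  oidc: "/enterprise/sso/oidc/login",
  oauth2: "/enterprise/sso/oauth2/login",
};
const MEMBER_SSO_PATHS: Record<SsoProtocol, string> = {
  saml: "/enterprise/sso/members/saml/login",
  oidc: "/enterprise/sso/members/oidc/login",
  oauth2: "/enterprise/sso/members/oauth2/login",
};

// Assumed deployment layout (constructed, not taken from the issue): the console
// API is served under the console domain, the WebApp API under the app domain.
const CONSOLE_API_BASE = "http://console.dify-example.test/console/api";
const APP_API_BASE = "http://app.dify-example.test/api";

// Choose the endpoint family from where the login was initiated. The reported
// bug is that the external-member flow built a CONSOLE_SSO_PATHS URL even when
// the click came from the WebApp, producing a cross-origin request.
function ssoLoginUrl(initiator: Initiator, protocol: SsoProtocol): string {
  return initiator === "webapp"
    ? APP_API_BASE + MEMBER_SSO_PATHS[protocol]
    : CONSOLE_API_BASE + CONSOLE_SSO_PATHS[protocol];
}

// Browser origin comparison (scheme, host, port): if this is false the request
// is cross-origin and only succeeds with CORS headers from the other side.
function isSameOrigin(pageUrl: string, requestUrl: string): boolean {
  return new URL(pageUrl).origin === new URL(requestUrl).origin;
}

// Post-login redirect guard: accept only a target on the origin that started
// the flow, so a login started on the WebApp never lands on the console.
function acceptRedirect(initiatedFrom: string, target: string): boolean {
  return isSameOrigin(initiatedFrom, target);
}
```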
